SABSA Implementation Generic Approach PART VI

Upload: maganathin-marcus-veeraragaloo

Post on 15-Jul-2015


Page 1: SABSA Implementation, Generic Approach, PART VI

Page 2: Time & Performance Management Concepts

Page 3: Scope: Strategy & Planning Phase – Time

Page 4: Lifecycle Alignment – Deming to SABSA

Page 5: Architecture Strategy & Planning Phase

Page 6: Architecture Design Phase

Page 7: Implementation Phase & Approach

• Implementation is an important part of the lifecycle, but the SABSA Matrix does not define a specific implementation layer

– No need to re-invent PRINCE2 or PMI etc.

• Notoriously difficult to gain business support and budget for pure infrastructure projects

• Rare that a major strategic enterprise-wide security architecture is implemented as a single project

• More likely (and more sensible) is that the architecture provides a blue-print and a road-map that guides a whole series of separate implementation projects, each of which is driven by a specific business initiative and funded by a budget associated with that initiative

Page 8: Manage & Measure Phase – Lifecycle Overlay

• SABSA Architecture traceably abstracts from pure Business Context to:

– Pure technical deployment in the Component layer

– Pure management in the Service Management layer

• The Service Management layer defines all aspects of security management and constructs the means to manage and incorporate change by being presented vertically across the other layers:

– Strategy (Context & Concept Layers)

– Tactics (Logical, Physical & Component Layers)

– Operations (Security Service Management Matrix)

Page 9: Manage & Measure Phase – SSM Matrix

Page 10: SABSA Development Process

Page 11: SABSA Risk Management Process Overview

Page 12: Risk Management and the SABSA Matrix

Page 13: SABSA Risk Management Activities

Page 14: SABSA Lifecycle Domain Risk Perspectives

Page 15: Process Improvement Framework – SABSA Maturity Profile (SMP)

• Coordinates SABSA process information from all parts of the business

– Demonstrates due diligence to senior management, auditors and regulators

• Based on Capability Maturity Modelling (CMM) concepts

– Qualitative measurement technique for maturity of processes

– Six domains mapped onto the SABSA Matrix

– Consistent, objective 5-point maturity scale

• Identifies, measures and reports compliance practices

– Against the SABSA framework, model and processes

– Provides a gap analysis to drive a SABSA improvement programme

• Can be implemented through a web-enabled tool for

– Ease of use, wide involvement, quick responses

• Regular use tracks progress and measures changes

– Benchmarking against target maturity

Page 16: SABSA Maturity Profile Process Areas

SMP Process Areas and SMP Process Activities

• Each of the six SMP domains is decomposed into six SMP Process Areas

• These SMP Process Areas map onto the six cells of the row of the SABSA Matrix corresponding to the particular SMP domain

• The SMP Process Activities are then derived by overlaying the SABSA Service Management Matrix onto the SMP Process Areas
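The gap analysis and benchmarking that pages 15 and 16 describe can be made concrete with a small script. This is an added illustration, not SABSA's own tooling and not the web-enabled tool the slide mentions: the six domain names are the SABSA layers named on page 8, the six process areas per domain are assumed here to be the SABSA Matrix columns (What, Why, How, Who, Where, When), the "weakest link" domain score is this example's own convention, and every maturity level in the sample profile is a constructed value.

```python
"""Maturity-profile gap analysis in the style of the SABSA Maturity Profile (SMP).
Added illustration; not SABSA's own tool. All level numbers are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean

# Six SMP domains (the SABSA layers) by six process areas (assumed: the Matrix columns).
DOMAINS = ["Contextual", "Conceptual", "Logical", "Physical", "Component", "Service Management"]
PROCESS_AREAS = ["What", "Why", "How", "Who", "Where", "When"]
LEVELS = range(1, 6)  # the consistent, objective 5-point maturity scale


@dataclass(frozen=True)
class Cell:
    domain: str
    area: str
    current: int  # assessed maturity level, 1..5
    target: int   # target maturity level set by the business, 1..5


def make_profile(current: dict[str, list[int]], target: int) -> list[Cell]:
    """Build the 36-cell profile from {domain: [six levels]} and one uniform target.
    Rejects a profile that misses a domain, a short row, or a level off the 5-point scale."""
    if target not in LEVELS:
        raise ValueError(f"target level {target} outside 1..5")
    if sorted(current) != sorted(DOMAINS):
        raise ValueError("profile must cover exactly the six SMP domains")
    cells = []
    for domain in DOMAINS:
        levels = current[domain]
        if len(levels) != len(PROCESS_AREAS):
            raise ValueError(f"{domain}: expected six process-area levels, got {len(levels)}")
        for area, level in zip(PROCESS_AREAS, levels):
            if level not in LEVELS:
                raise ValueError(f"{domain}/{area}: level {level} outside 1..5")
            cells.append(Cell(domain, area, level, target))
    return cells


def gaps(cells: list[Cell]) -> list[Cell]:
    """Improvement backlog: cells below target, largest shortfall first (stable in Matrix order)."""
    return sorted((c for c in cells if c.current < c.target), key=lambda c: -(c.target - c.current))


def domain_summary(cells: list[Cell]) -> dict[str, dict]:
    """Per domain: weakest-link level (min), mean level, and remaining gap points to target."""
    out = {}
    for domain in DOMAINS:
        row = [c for c in cells if c.domain == domain]
        out[domain] = {
            "min": min(c.current for c in row),
            "mean": round(mean(c.current for c in row), 2),
            "gap": sum(max(c.target - c.current, 0) for c in row),
        }
    return out


def benchmark(cells: list[Cell]) -> float:
    """Percentage of process areas at or above target: the slide's benchmarking view."""
    return round(100 * sum(c.current >= c.target for c in cells) / len(cells), 1)


# Constructed sample profile: one self-assessment round with target level 3 everywhere.
SAMPLE_CURRENT = {
    "Contextual": [3, 3, 2, 3, 3, 2],
    "Conceptual": [3, 2, 2, 3, 2, 2],
    "Logical": [4, 3, 3, 3, 3, 3],
    "Physical": [3, 3, 3, 2, 3, 3],
    "Component": [4, 4, 3, 3, 3, 3],
    "Service Management": [2, 2, 1, 2, 2, 2],
}
SAMPLE_PROFILE = make_profile(SAMPLE_CURRENT, target=3)

if __name__ == "__main__":
    print(f"benchmark: {benchmark(SAMPLE_PROFILE)}% of process areas at target")
    for domain, s in domain_summary(SAMPLE_PROFILE).items():
        print(f"{domain:20} min={s['min']} mean={s['mean']} gap={s['gap']}")
    print("top of the improvement backlog:")
    for c in gaps(SAMPLE_PROFILE)[:5]:
        print(f"  {c.domain}/{c.area}: {c.current} -> {c.target}")
```

Re-running the script on each assessment round and keeping the earlier results gives the progress tracking the slide asks for; the per-domain minimum is reported alongside the mean because a single level-1 process area is what an auditor will notice first.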

Page 17: SMP Maturity Levels

Page 18: SMP Generic Practices

Page 19: Performance Management Framework

Defining Business-driven Performance Targets

Page 20: Architecture Measurement Categories

• Completeness

– Do we have all of the components?

– Do they form an integrated system?

• Assurance

– Does the system run smoothly?

– Are we assured that it is properly assembled?

– Is the system fit-for-purpose?

• Compliance

– Do we maintain the system?

– Do we follow the architecture roadmap?

– Do we comply with the rules?

• Performance

– Is the system properly tuned?

– Do the components work together?

– Do we operate the system correctly?

• Justification & significance

– Does the system have business value?

Page 21: Measurement Approaches

• High level statements of the approach to obtaining a measurement

• Appropriate to the business need

• In the language of the intended audience

• Culturally specific

Page 22: Measurement Guidelines

• Measurement should be a repeatable process (for comparison & prediction)

• Measurement should have a clear communications role

– Tracking performance

– Assigning resources

• Measurement should yield quantifiable metrics (percentage, average, numbers, values, etc.)

Page 23: Metrics Guidelines

• Data used to calculate metrics should be readily obtainable

• Metrics may (should) be calculated independently of parties with vested interest

• The type of metric used may change in line with the maturity of the security process e.g. when you are highly compliant, consider changing from conformance measure to significance measure

• Performance metric / trend should be tested prior to going ‘live’

• Expectations management is key

Page 24: Types of Metric

• Soft Metrics

– Usually qualitative

– Subjective

– Open to interpretation and opinion (usually of the authority setting the target or of an official compliance agent such as a regulator or auditor)

• Hard Metrics

– Usually quantitative

– Objective

– Fixed, not open to opinion or interpretation

Page 25: Types of Metric

• Descriptive

– Describes the current state of the object / attribute being measured

• Comparative

– Describes the current state of the object / attribute being measured in comparison with a similar object / attribute relating to a different place and/or time

• Predictive

– Describes the current state of the object / attribute being measured in relation to its trend, in order to project and predict a future state
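As an added illustration of the three metric types above (not part of the original deck), the following computes a descriptive, a comparative and a predictive reading from one constructed hard metric: the monthly percentage of critical patches applied within SLA, for two hypothetical business units. The least-squares trend, the three-observation minimum before a trend is reported (in the spirit of page 23's "test before going live" guideline) and the unit names are this example's own choices, not SABSA's.

```python
"""Descriptive, comparative and predictive metrics over one constructed series.
Added illustration of the slide's three metric types; not SABSA material."""
from __future__ import annotations
import math
from statistics import mean

# Constructed sample data: monthly percentage of critical patches applied within SLA,
# oldest first, for two hypothetical business units (a hard, quantitative metric).
UNIT_A = [62.0, 65.0, 68.0, 71.0, 74.0, 77.0]
UNIT_B = [80.0, 81.0, 82.0, 82.0, 83.0, 84.0]


def descriptive(series: list[float]) -> float:
    """Current state of the attribute: the latest observation."""
    return series[-1]


def comparative(series: list[float], *, other: list[float] | None = None,
                months_back: int | None = None) -> float:
    """Current state relative to a similar attribute at a different place (the other
    unit's latest value) or a different time (this unit, months_back ago).
    Positive means the measured series is ahead of the baseline."""
    if (other is None) == (months_back is None):
        raise ValueError("compare against exactly one of: another series, or an earlier period")
    baseline = other[-1] if other is not None else series[-1 - months_back]
    return round(series[-1] - baseline, 2)


def linear_trend(series: list[float]) -> tuple[float, float]:
    """Least-squares slope and intercept with x = 0..n-1 as the month index."""
    if len(series) < 3:  # example's own rule: do not report a trend on too few points
        raise ValueError("trend needs at least three observations before it is trusted")
    xs = range(len(series))
    x_bar, y_bar = mean(xs), mean(series)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, series))
    sxx = sum((x - x_bar) ** 2 for x in xs)
    slope = sxy / sxx
    return slope, y_bar - slope * x_bar


def predictive(series: list[float], *, target: float, horizon: int) -> dict:
    """Project the trend `horizon` months ahead and report the months until `target`
    is reached: 0 if already there, None if the trend is flat or falling."""
    slope, intercept = linear_trend(series)
    last = len(series) - 1
    projected = round(intercept + slope * (last + horizon), 2)
    if series[-1] >= target:
        months = 0
    elif slope > 0:
        months = max(1, math.ceil((target - intercept) / slope - last))
    else:
        months = None
    return {"slope_per_month": round(slope, 2), "projected": projected, "months_to_target": months}


if __name__ == "__main__":
    print("descriptive (unit A, latest month):", descriptive(UNIT_A))
    print("comparative vs unit B:", comparative(UNIT_A, other=UNIT_B))
    print("comparative vs three months ago:", comparative(UNIT_A, months_back=3))
    print("predictive, target 90% within 3 months:", predictive(UNIT_A, target=90, horizon=3))
```

The comparative reading deliberately requires exactly one baseline (another place or an earlier time) so a report cannot silently mix the two; the predictive reading returns None rather than a number when the trend does not point at the target, which keeps a flat or worsening series from being presented as "on track".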

Page 26: Conceptual Measures & Metrics Framework

Page 27: SABSA Vitality Framework

Page 28: END OF PART VI